This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASC- Cannot connect.

Hi,
I'm using the new ASC to try and connect to v5.025 IPSEC roadwarrior.
I'm getting disconnected with the following errors.

21/10/2004 7:34:48 PM  Turning on NATD mode - Micromine - 1
21/10/2004 7:34:48 PM  XMIT_MSG5_MAIN - Micromine
21/10/2004 7:34:48 PM  XMIT_MSG5_MAIN_RESUME - Micromine
21/10/2004 7:34:48 PM  NOTIFY : Micromine : RECEIVED : INVALID_ID_INFORMATION
21/10/2004 7:34:48 PM  RECV_MSG6_MAIN - Micromine
21/10/2004 7:34:48 PM  NCPIKE-phase1:name(Micromine) - error - PAYLOAD_MALFORMED
21/10/2004 7:34:48 PM  NCPIKE-phase2:name(Micromine) - error - cleared by phase1
21/10/2004 7:34:48 PM  IPSDIAL  - disconnected from Micromine on channel 1.

Could someone explain?  Has anyone got it working?

This thread was automatically locked due to age.

Parents

0 Stephan_Scholz over 21 years ago

Hi Simon,

it looks to me as if the VPN identifiers don't match. If you use X.509 and the VPN ID for the client is *not* configured as Distinguished Name (DN) on ASL, then make sure that you enter the correct ID on the client (Profile Settings->Local identity Type + ID).
If that doesn't help, what does the ASL ipsec.log say?

Regards,
Stephan
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 21 years ago in reply to Stephan_Scholz

OK I created a DN type X.509 cert.

In the client I set Identity-Type to : ASN1 Distinguished Name
ID: is blank, is that right?

When connecting ASL reports:
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: Main mode peer ID is ID_IPV4_ADDR: '203.153.227.210'
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: Issuer CRL not found
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: Issuer CRL not found
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: no suitable connection for peer '203.153.227.210'
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: sending notification INVALID_ID_INFORMATION to 203.153.227.210:4500

This is starting to piss me off [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 21 years ago in reply to Stephan_Scholz

OK I created a DN type X.509 cert.

In the client I set Identity-Type to : ASN1 Distinguished Name
ID: is blank, is that right?

When connecting ASL reports:
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: Main mode peer ID is ID_IPV4_ADDR: '203.153.227.210'
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: Issuer CRL not found
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: Issuer CRL not found
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: no suitable connection for peer '203.153.227.210'
2004:10:22-10:32:16 (none) pluto[1299]: "D_Roadwarrior_0"[6] 203.153.227.210:4500 #128: sending notification INVALID_ID_INFORMATION to 203.153.227.210:4500

This is starting to piss me off [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Simon Shaw over 21 years ago in reply to Simon Shaw

Fixed, with help from Stephan Scholz [:)]

If your clients address is NAT'ed you *must* use a virtual IP for the client certificate and setup this IP in the client.

Keywords: Astaro Secure Client NAT IKE phase 1
Cancel
Vote Up 0 Vote Down

Cancel
0 WmLongman over 21 years ago in reply to Simon Shaw

I'm getting the same error with PSKs. No discernible pattern to why this is failing. All I see in the ASL log is a complaint about multiple ipsec.secrets entries and a final "unsupported exchange type ISAKMP_XCHG_MODE_CFG in message".
Cancel
Vote Up 0 Vote Down

Cancel